Johnson, Winter and Slattery | Dec 2020
The Consumer Data Right scheme came into effect [in Australia] for the banking sector earlier this year. It will evolve as it expands into the energy and telecommunications sectors until it applies economy-wide.
While the focus has been on the data sharing obligations, the CDR scheme extends beyond this. Record-keeping, the Privacy Safeguards and mandatory reporting obligations may already apply to organisations that hold data which has been designated as CDR data. Keeping abreast of developments is essential to remaining compliant.
What is the Consumer Data Right?
The key provisions of the CDR were introduced in August 2019 as Part IVD to the Competition and Consumer Act. The CDR is designed to increase consumer data portability, sector by sector, improving consumers’ ability to compare and switch between products and services, thus increasing competition and innovation within affected sectors.
Part IVD sets out the scope of data sharing obligations, the process by which data may be shared, data security requirements and some privacy safeguards. Data covered by the CDR scheme is designated by legislative instruments and relates to products offered by service providers (Product Data) and personal data about the consumers (Consumer Data). Further nuances to the application of the CDR (including when obligations to share Product Data and Consumer Data become mandatory) are set out in the CDR Rules and data standards.
The persons affected by the CDR scheme are:
- the entities holding Product Data and Consumer Data (i.e. “data holders”), who may be specifically identified (such as the four largest banks and energy retailers) or have received designated Product Data or Consumer Data under the CDR Rules;
- the consumers to whom the Consumer Data relates (“CDR Consumers”);
- persons who meet the security and other requirements and become accredited to collect or receive Consumer Data on behalf of a CDR Consumer (“accredited data recipients”) or on behalf of another accredited data recipient (such as an outsourced service provider); and
- the entity that acts as a conduit for CDR data between other data holders (“designated gateway”), which is currently being considered only for the energy sector.
Data security and the Privacy Safeguards
The success of the CDR will depend on whether consumers trust the security and integrity of the sharing of their Consumer Data. For that reason, there is a strong focus on the data security and privacy of consumers, including:
- Privacy Safeguards: CDR data is subject to a set of 12 Privacy Safeguards that are at least equivalent to, or stronger than, the 12 Australian Privacy Principles (APPs). The Safeguards include obligations for entities to:
  - provide compliant notifications when CDR data is used or disclosed within the scheme; and
  - take reasonable steps to ensure CDR data is accurate, up to date and complete.
- Data security accreditation: If an entity wants to participate in the CDR, it must be able to prove to the ACCC that:
  - it holds adequate insurance to cover the risks of managing CDR data;
  - the infrastructure holding CDR data is sufficiently secure, including having data security features that are equivalent to or better than those listed in the CDR Rules; and
  - it has an internal dispute resolution process and is a member of the Australian Financial Complaints Authority.